/**
 * Creates a new {@code CertPathBuilder} instance from the specified
 * provider providing the specified algorithm.
 *
 * @param algorithm
 *            the name of the algorithm.
 * @param provider
 *            the name of the provider.
 * @return a builder for the requested algorithm.
 * @throws NoSuchAlgorithmException
 *             if the specified provider cannot provide the algorithm.
 * @throws NoSuchProviderException
 *             if no provider with the specified name can be found.
 * @throws NullPointerException
 *             if algorithm is {@code null}.
 * @throws IllegalArgumentException if {@code provider == null || provider.isEmpty()}
 */
public static CertPathBuilder getInstance(String algorithm, String provider)
        throws NoSuchAlgorithmException, NoSuchProviderException {
    // A missing or empty provider name is a caller error, not a lookup failure.
    final boolean providerNameMissing = provider == null || provider.isEmpty();
    if (providerNameMissing) {
        throw new IllegalArgumentException("provider == null || provider.isEmpty()");
    }
    // Resolve the name against the installed providers and delegate to the Provider overload.
    final Provider resolved = Security.getProvider(provider);
    if (resolved != null) {
        return getInstance(algorithm, resolved);
    }
    throw new NoSuchProviderException(provider);
}
// NOTE(review): this excerpt looks like a "prefer the BC provider, otherwise use the default
// provider" fallback, but the try/catch around the first call is not intact here — confirm
// against the full source. Both calls request a "PKIX" path builder.
try pathBuilder = CertPathBuilder.getInstance( "PKIX", "BC" );
pathBuilder = CertPathBuilder.getInstance( "PKIX" );
// The selector pins the end-entity certificate (first element of the supplied array) as the
// path target; the builder must then find a path from it to one of the configured anchors.
X509CertSelector certSelector = new X509CertSelector();
X509Certificate endEntity = x509Certificates[0];
certSelector.setCertificate(endEntity);
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
// Use whichever path-builder type the platform declares as its default rather than hard-coding "PKIX".
final String builderType = CertPathBuilder.getDefaultType();
final CertPathBuilder pathBuilder = CertPathBuilder.getInstance(builderType);
final CertPathBuilderResult buildResult = pathBuilder.build(params);
final CertPath cp = buildResult.getCertPath();
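/* Givens (supplied by the caller; shown as placeholders). */
InputStream trustStoreInput = ...
char[] password = ...
List<X509Certificate> chain = ...
Collection<X509CRL> crls = ...

/* Construct a valid path. */
// Trust anchors come from a separately loaded trust store, never from the chain under test.
KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
anchors.load(trustStoreInput, password);

// The end-entity certificate (chain.get(0)) is the target the builder must connect to an anchor.
X509CertSelector target = new X509CertSelector();
target.setCertificate(chain.get(0));
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);

// Intermediates: the supplied chain, untrusted until the builder links it to an anchor.
CertStoreParameters intermediates = new CollectionCertStoreParameters(chain); // was missing ';'
params.addCertStore(CertStore.getInstance("Collection", intermediates));

// CRLs: PKIXBuilderParameters enables revocation checking by default, so these are consulted.
CertStoreParameters revoked = new CollectionCertStoreParameters(crls);
params.addCertStore(CertStore.getInstance("Collection", revoked));

CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");

/*
 * If build() returns successfully, the certificate is valid. More details
 * about the valid path can be obtained through the PKIXCertPathBuilderResult
 * (the JDK result type; the original named a non-existent PKIXBuilderResult).
 * If no valid path can be found, a CertPathBuilderException is thrown.
 */
PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params);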
// Make the intermediate certificates discoverable to the builder, then request the "PKIX"
// implementation from the provider registered under the name "BC" (NoSuchProviderException if absent).
pkixParams.addCertStore(intermediateCertStore);
CertPathBuilder builder;
builder = CertPathBuilder.getInstance("PKIX", "BC");
/**
 * Builds a PKIX path for {@code cert} using the certificates in {@code chain}.
 * <p>
 * NOTE(review): every certificate in {@code chain}, and {@code cert} itself, is added as a
 * {@link TrustAnchor}, so no external trust root is consulted — the build succeeds whenever
 * {@code cert} chains to any member of the caller-supplied list. If the chain comes from an
 * untrusted party this is a structural/signature check only, not a trust decision. Revocation
 * checking is disabled as well.
 *
 * @param chain the certificates to use both as anchors and as intermediates; all must be X.509
 * @param cert  the end-entity certificate (also added to the pool, for the self-signed case); must be X.509
 * @throws IllegalArgumentException if any certificate is not an {@link X509Certificate}
 * @throws IllegalStateException    if the parameters are rejected or no path can be built
 * @throws CloudRuntimeException    if the "BC" provider is not installed
 */
private void validateChain(final List<Certificate> chain, final Certificate cert) {
    final List<Certificate> certs = new ArrayList<Certificate>();
    certs.add(cert); // adding for self signed certs
    certs.addAll(chain);

    // Every certificate doubles as a trust anchor (see the Javadoc note above).
    final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    for (final Certificate c : certs) {
        if (c instanceof X509Certificate) {
            anchors.add(new TrustAnchor((X509Certificate) c, null));
        } else {
            throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
        }
    }

    final X509CertSelector target = new X509CertSelector();
    target.setCertificate((X509Certificate) cert);

    try {
        final PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);
        final CertStoreParameters pool = new CollectionCertStoreParameters(certs);
        params.addCertStore(CertStore.getInstance("Collection", pool));
        CertPathBuilder.getInstance("PKIX", "BC").build(params);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}
// Register the intermediates with the parameters, then obtain a "PKIX" builder from the
// default provider search order (no provider pinned).
pkixParams.addCertStore(intermediateCertStore);
CertPathBuilder builder;
builder = CertPathBuilder.getInstance("PKIX");
@Override public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) { try { CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
/**
 * Builds trust-manager parameters whose PKIX validation performs OCSP checking against the
 * configured responder, with no fallback to CRLs ({@code NO_FALLBACK}).
 *
 * @param trustStore          the trust store whose entries become trust anchors; must not be null
 * @param defaultTrustAnchors not used by this implementation
 * @return parameters wrapping a {@link PKIXBuilderParameters} with the revocation checker attached
 * @throws IllegalStateException if {@code certAlias} is set but is not a certificate entry of the trust store
 * @throws RuntimeException      wrapping any {@link GeneralSecurityException} or {@link URISyntaxException}
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // OCSP only: a responder failure is not masked by silently falling back to CRLs.
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        if (url != null) {
            checker.setOcspResponder(new URI(url));
        }
        if (certAlias != null) {
            // The responder's signing certificate must be a trusted certificate entry, not a key entry.
            if (!trustStore.isCertificateEntry(certAlias)) {
                throw new IllegalStateException("Key with alias \"" + certAlias + "\" was not found");
            }
            checker.setOcspResponderCert((X509Certificate) trustStore.getCertificate(certAlias));
        }
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(checker);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        throw new RuntimeException(e);
    }
}
// Build the path with the default-provider "PKIX" builder; a CertPathBuilderException
// signals that no path from the target to a trust anchor could be found.
CertPathBuilder pkixBuilder = CertPathBuilder.getInstance("PKIX");
CertPathBuilderResult buildResult = pkixBuilder.build(pbParams);
// Build and return the PKIX-specific result (exposes the anchor and the validated path).
return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(pkixParams);
/**
 * Get a CertPathBuilder
 *
 * @return a CertPathBuilder
 * @throws NoSuchAlgorithmException
 *             If the algorithm name is unknown or unsupported
 */
public CertPathBuilder getCertPathBuilder() throws NoSuchAlgorithmException {
    final String name = getCertPathBuilderName();
    // A provider configured for this name is preferred; otherwise the JCA search order applies.
    final Provider provider = providers.getProvider(name);
    final CertPathBuilder certPathBuilder = provider != null
            ? CertPathBuilder.getInstance(name, provider)
            : CertPathBuilder.getInstance(name);
    LOGGER.debug(FOUND_CL_ALG_PROV, certPathBuilder.getClass().getName(), name,
            certPathBuilder.getProvider().getName());
    return certPathBuilder;
}
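// Load the trust store; try-with-resources closes the stream (the original never closed it).
KeyStore ts = KeyStore.getInstance("JKS");
try (FileInputStream tfis = new FileInputStream(trustStorePath)) {
    ts.load(tfis, trustStorePass.toCharArray());
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

// initialize certification path checking for the offered certificates and revocation checks against CLRs
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
// NOTE: ONLY_END_ENTITY skips revocation checks for CA certificates, and SOFT_FAIL lets the
// handshake proceed when the revocation status cannot be determined (e.g. CRL unreachable).
// A revoked intermediate or an unavailable CRL is therefore not a hard failure with these options.
rc.setOptions(EnumSet.of(
        PKIXRevocationChecker.Option.PREFER_CRLS,     // prefer CLR over OCSP
        PKIXRevocationChecker.Option.ONLY_END_ENTITY,
        PKIXRevocationChecker.Option.SOFT_FAIL,       // handshake should not fail when CRL is not available
        PKIXRevocationChecker.Option.NO_FALLBACK));   // don't fall back to OCSP checking
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ts, new X509CertSelector());
pkixParams.addCertPathChecker(rc);
tmf.init(new CertPathTrustManagerParameters(pkixParams));

// init KeyManagerFactory kmf.init(...)

SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // was 'kmf.getKeyManagers)' (typo)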
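final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
final X509Certificate certificateToCheck =
        (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));

// Trust anchors come from a separate trust store, never from the certificate under test.
final KeyStore trustStore = KeyStore.getInstance("JKS");
InputStream keyStoreStream = ... // placeholder: the trust-store stream supplied by the caller
try (InputStream in = keyStoreStream) {
    // "your password" is a placeholder; source the real password from configuration, not a literal.
    trustStore.load(in, "your password".toCharArray()); // fixed typo 'keyStoreStrem'
}

// 1) Build a path from the certificate to a trust anchor.
// NOTE: PKIXBuilderParameters enables revocation checking by default; with no CRL store added,
// the build step fails unless the JDK can obtain revocation data by other means.
final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
final X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(certificateToCheck);
final CertPathParameters certPathParameters = new PKIXBuilderParameters(trustStore, certSelector);
final CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(certPathParameters);
final CertPath certPath = certPathBuilderResult.getCertPath();

// 2) Validate that path with revocation checking and a key-usage constraint on the target.
final CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
final PKIXParameters validationParameters = new PKIXParameters(trustStore);
validationParameters.setRevocationEnabled(true); // if you want to check CRL
final X509CertSelector keyUsageSelector = new X509CertSelector();
// KeyUsage bit 0 = digitalSignature, bit 2 = keyEncipherment; bit 1 (nonRepudiation) not required.
keyUsageSelector.setKeyUsage(new boolean[] { true, false, true }); // to check digitalSignature and keyEncipherment bits
validationParameters.setTargetCertConstraints(keyUsageSelector);
final PKIXCertPathValidatorResult result =
        (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, validationParameters);
System.out.println(result);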
// Target by subject name rather than by the exact certificate.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);

// Intermediates live in a collection-backed CertStore that the builder searches.
CollectionCertStoreParameters intermediates =
        new CollectionCertStoreParameters(Arrays.asList(icert1, icert2 /*, other certs... */));
CertStore cstore = CertStore.getInstance("Collection", intermediates);
params.addCertStore(cstore);

// Platform default builder type (normally "PKIX").
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPathBuilderResult built = cpb.build(params);
CertPath certPath = built.getCertPath();
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
// Target: the certificate stored under alias "mykey".
X509CertSelector certSelector = new X509CertSelector();
X509Certificate targetCert = (X509Certificate) myKeyStore.getCertificate("mykey");
certSelector.setCertificate(targetCert);
PKIXBuilderParameters cpp = new PKIXBuilderParameters(trustAnchors, certSelector);
cpp.addCertStore(cs);
cpp.setRevocationEnabled(true); // revocation data must be reachable (via `cs` or JDK settings) or the build fails
cpp.setMaxPathLength(6);        // at most six non-self-issued intermediate certificates
cpp.setDate(new Date());        // validate against the current time
CertPathBuilderResult a = cpb.build(cpp);
CertPath certPath = a.getCertPath();
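/**
 * Builds and validates a PKIX path from {@code inCerts.get(0)} to a trust anchor in {@code ks},
 * using the remaining certificates as intermediates.
 * <p>
 * Revocation checking is disabled ({@code setRevocationEnabled(false)}) and the path length is
 * unlimited ({@code setMaxPathLength(-1)}), so this establishes chaining and validity only.
 *
 * @param ks      key store whose trusted certificate entries act as trust anchors
 * @param inCerts certificate chain, end-entity first; must be non-empty
 * @throws JoseException if the chain is empty or no valid path can be built and validated
 */
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) {
    // Initial chain validation, to be enhanced as needed
    try {
        // Explicit check so an empty chain fails with a clear cause instead of IndexOutOfBoundsException.
        if (inCerts == null || inCerts.isEmpty()) {
            throw new IllegalArgumentException("certificate chain is empty");
        }
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(inCerts.get(0));
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts)));
        pbParams.setMaxPathLength(-1);
        pbParams.setRevocationEnabled(false);
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        CertPath certPath = buildResult.getCertPath();
        // Validate the built path against the same parameters.
        CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}

public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {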
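/**
 * Builds and validates a PKIX path from {@code inCerts.get(0)} to a trust anchor in {@code ks},
 * using the remaining certificates as intermediates.
 * <p>
 * Revocation checking is disabled ({@code setRevocationEnabled(false)}) and the path length is
 * unlimited ({@code setMaxPathLength(-1)}), so this establishes chaining and validity only.
 *
 * @param ks      key store whose trusted certificate entries act as trust anchors
 * @param inCerts certificate chain, end-entity first; must be non-empty
 * @throws JoseException if the chain is empty or no valid path can be built and validated
 */
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) {
    // Initial chain validation, to be enhanced as needed
    try {
        // Explicit check so an empty chain fails with a clear cause instead of IndexOutOfBoundsException.
        if (inCerts == null || inCerts.isEmpty()) {
            throw new IllegalArgumentException("certificate chain is empty");
        }
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(inCerts.get(0));
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts)));
        pbParams.setMaxPathLength(-1);
        pbParams.setRevocationEnabled(false);
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        CertPath certPath = buildResult.getCertPath();
        // Validate the built path against the same parameters.
        CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}

public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {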
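// Trust anchors come from the configured trust store; the original passed an undeclared
// 'anchors' here instead of the 'trustAnchors' it had just declared.
KeyStore trustAnchors = getTrustAnchors();
X509CertSelector target = new X509CertSelector();
target.setCertificate(signerCertificate);
PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
// Untrusted extra certificates (intermediates) made available for path discovery.
CertStoreParameters additionalCerts = new CollectionCertStoreParameters(allOtherCerts); // was missing ';'
params.addCertStore(CertStore.getInstance("Collection", additionalCerts));
// CRLs consulted by the revocation check, which PKIXBuilderParameters enables by default.
CertStoreParameters revocationObjects = new CollectionCertStoreParameters(allCRLs);
params.addCertStore(CertStore.getInstance("Collection", revocationObjects));
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params);
/* if the build method returns without exception, the certificate chain is valid */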